Generating Random Passwords In ColdFusion Based On Sets Of Valid Characters

Richard White over on CF-Talk asked about generating random passwords in ColdFusion based on his particular business rules. These rules included:

Must be exactly 8 characters in length

Must have at least 1 number

Must have at least 1 uppercase letter

Must have at least 1 lower case letter

Tom Chiverton suggested using ASCII values and randomization, which is a great suggestion. In fact, it is one that I have used myself many times in the past. However, I created this demo based on explicitly defined sets of character data as I feel that it has some benefits; it is more readable and allows for more flexibility in what the character sets are (just my opinion).

That being said, here is the algorithm I came up with in ColdFusion to generate the random passwords:

<!---

We have to start out be defining what the sets of valid

character data are. While this might not look elegant,

notice that it gives a LOT of power over what the sets

are without writing a whole lot of code or "condition"

statements.

--->

<!--- Set up available lower case values. --->

<cfset strLowerCaseAlpha = "abcdefghijklmnopqrstuvwxyz" />

<!---

Set up available upper case values. In this instance, we

want the upper case to correspond to the lower case, so

we are leveraging that character set.

--->

<cfset strUpperCaseAlpha = UCase( strLowerCaseAlpha ) />

<!--- Set up available numbers. --->

<cfset strNumbers = "0123456789" />

<!--- Set up additional valid password chars. --->

<cfset strOtherChars = "~!@##$%^&*" />

<!---

When selecting random value, we want to be able to easily

choose from the entire set. To this effect, we are going

to concatenate all the previous valid character sets.

--->

<cfset strAllValidChars = (

strLowerCaseAlpha &

strUpperCaseAlpha &

strNumbers &

strOtherChars

) />

<!---

Create an array to contain the password ( think of a

string as an array of character).

--->

<cfset arrPassword = ArrayNew( 1 ) />

<!---

When creating a password, there are certain rules that we

need to follow (as deemed by the business logic). That is,

the password must:

- must be exactly 8 characters in length

- must have at least 1 number

- must have at least 1 uppercase letter

- must have at least 1 lower case letter

--->

<!--- Select the random number from our number set. --->

<cfset arrPassword[ 1 ] = Mid(

strNumbers,

RandRange( 1, Len( strNumbers ) ),

1

) />

<!--- Select the random letter from our lower case set. --->

<cfset arrPassword[ 2 ] = Mid(

strLowerCaseAlpha,

RandRange( 1, Len( strLowerCaseAlpha ) ),

1

) />

<!--- Select the random letter from our upper case set. --->

<cfset arrPassword[ 3 ] = Mid(

strUpperCaseAlpha,

RandRange( 1, Len( strUpperCaseAlpha ) ),

1

) />

<!---

ASSERT: At this time, we have satisfied the character

requirements of the password, but NOT the length

requirement. In order to do that, we must add more

random characters to make up a proper length.

--->

<!--- Create rest of the password. --->

<cfloop

index="intChar"

from="#(ArrayLen( arrPassword ) + 1)#"

to="8"

step="1">

<!---

Pick random value. For this character, we can choose

from the entire set of valid characters.

--->

<cfset arrPassword[ intChar ] = Mid(

strAllValidChars,

RandRange( 1, Len( strAllValidChars ) ),

1

) />

</cfloop>

<!---

Now, we have an array that has the proper number of

characters and fits the business rules. But, we don't

always want the first three characters to be of the

same order (by type). Therefore, let's use the Java

Collections utility class to shuffle this array into

a "random" order.

If you are not comfortable using the Java class, you

can create your own shuffle algorithm.

--->

<cfset CreateObject( "java", "java.util.Collections" ).Shuffle(

arrPassword

) />

<!---

We now have a randomly shuffled array. Now, we just need

to join all the characters into a single string. We can

do this by converting the array to a list and then just

providing no delimiters (empty string delimiter).

--->

<cfset strPassword = ArrayToList(

arrPassword,

""

) />

I ran that a bunch of times and here is the list of passwords it created:

RQ5nYqR1 QL3!g8TD*dZWd5rPI5Jvna!5MqG%T38bIgD1BLq^!~51gpZC

As you can see, it is quite random (at least for my powers of perception) and each one complies with the business rules laid out. Of course, if your business rules change, you would have to update the algorithm as needed (and anyone let me know if they want to see a demo of that (based on their business rules)).

While I am not sure I am completely on board with that decision (but I do completely understand it), your comment goes quite nicely with the idea behind using character sets rather than spans of ASCII values. By using a set of characters, it makes it so easy to pick and choose which characters don't make the cut.

When I first responded, I forgot that we were GENERATING passwords and was thinking just about passwords in general, which is why I was hesitant to get on board with the character restricitions. But now that I remember we are dealing with generating (hey, I have a lot on my mind), I totally agree. No need to confuse the end user.

Thanks a ton for your code. I was looking to create a cfscript function to do this so I did the simple mods on what you wrote to make it a function. Here is the code I created from the code in the original comment.

Looks good dude. The only modification I would suggest is to pass in a password length (gt 4) to the function. Right now, you have hard coded 8. It might be a nice little dynamic feature. But looks good.

Thanks Ben, I was starting to write my own and decided to check out your site (once again) since you are the CF King!So many times your site has helped me with my projects.I owe you a few brews if you are ever in upstate NY!

Ben, even 4+ years after your original post this is still coming in handy! You are always a great source for solutions or at least a fresh perspective when trying to solve a problem. Thanks again! Keep up the good work!

cool! There've been many times when I have wanted to do something like this, but as usual am coming across the post late. I can agree with the confusing users thing. When I first read the thing about the I, I forgot about fonts, and I thought O's where the only necessary thing...since I have confused them myself even in just coding (what is worse is that the keys on the board are so close to each other, it is easy to hit the wrong one without realizing it). In the font I usually use, the I has definite lines on top and bottom, and the 1 has a line at the top, but only on one side, slanting down, and of course has the bottom one, so they are pretty distinctive, but I could see how in some fonts they probably look very similar. Same with the lowercase l.

Just a quick note...if you are calling this file like I am, it might help to put this at the top of the file:<cfprocessingdirective suppresswhitespace="yes"><cfsetting enablecfoutputonly="no"><cfsetting showdebugoutput="no">

...and this at the bottom

<cfoutput>#strPassword#</cfoutput></cfprocessingdirective><cfabort>

...that way you just get the password back. I'm using ajax to call it and then populate a form box with the generated password and I'm working on a dev box with all the debug turned on. The code I put in here keeps it returning just the generated password.

Ben, despite this being 4 years old now it's still great. It's taken me a matter of minutes to add this to a site I'm working on currently - many many thanks. Your blog is always outstanding! Big love from England

You're site has been my go to site for years. I put this password code into place years ago and only just now got an error from the * char when coldfusion compared it to the one in a database using SQL (where...password = <cfqueryparam value="#password#" cfsqltype="cf_sql_longvarchar" maxlength="5">). The error was: application error The cause of this output exception was that: coldfusion.tagext.sql.QueryParamTag$InvalidDataException: Invalid data value 4F5*A exceeds maxlength setting 5. I'm guessing coldfusion didn't know exactly what to do with the '*'? Now I'm wondering about the *,#, and % chars since they have can be used for other purposes. Which characters will NOT cause a problem? How about '-' and '_'. Are those safe to put in?